Network traffic used in network simulations or other monitored interconnection of computers, such as “honeypots,” are generally derived from limited network traces or based on simple rules for statistically generating traffic. In addition, the network traffic used in these network simulations or honeypots may be limited only to a single network stack. These network simulations and honeypots typically focus on isolated network sessions and do not monitor or record network and application behavior.
Moreover, these network simulations and honeypots typically mask portions of the network traffic to prevent the disclosure of a user's identity, but the masking scheme used in these network simulations and honeypots are generally unsophisticated. The masking scheme used in these network simulations and honeypots generally do not account for the tracking of multiple network sessions across multiple dimensions, such as time or user accounts.
Furthermore, in populating the network simulations and honeypots with network traffic, the network simulations and honeypots typically rely on mathematical models of network traffic. However, because computer analysts have, developed advanced techniques for detecting whether generated network traffic is based on these mathematical models, these types of network simulations and honeypots are generally insufficient for use in developing defensive systems to protect against modern intrusions and attacks. Moreover, the most recent generation of sophisticated and automated analysis systems, such as inter-connected automated computer systems that leverage distributed computing resources, known as “botnets,” are designed to detect artificial environments, especially those based on mathematical models of generated network traffic and statistical variation. Because these botnets are able to detect artificial environments of network traffic, the botnets alter their behavior to avoid detection.